Tag Archives: CPE

It’s been about a month since the CCIE Continuing Education program was announced ahead of Cisco Live. There was a fair amount of discussion about it both on this blog as well as other places, like Jeff Fry’s post. Overall, the response has been positive. However, there are a few questions and ideas about the program that are simply not true. And no, this is not The Death Of The CCIE Program (just Google it). So, let’s take a look at this edition of Mythbusters for the CCIE CE program.

Myth #1: The CE Program Is Just A Way For Cisco To Sell More Training

This was a good one. The list of CE classes that was release at the beginning of the program included Cisco Live classes as well as Cisco Authorized training classes. Those were the only thing on the list as of right now. When some people saw the list, they jumped to the conclusion that the reason why the CE program exists is because Cisco wants to push their training courses. Let’s look at that.

Let’s say you want to start a global program that requires people to keep track of their training credits to turn them in for some kind of reward, whether it be money or credit for something else. Do you:

Open the program for submissions of any kind and then hire a team to sort through them all to verify that they are legitmate

Use a small list of verified submissions that can be audited at any time internally and are known to be of good quality based on existing metrics

I can only imagine that you would pick #2 every time. Remember that the CCIE CE program is barely a month old. It was announced so people could start taking advantage of it at Cisco Live. The list of classes included on the list was small on purpose. They were Cisco affiliated classes on purpose. The CCIE team can audit these classes easily with internal metrics. They can drop in on them and ensure the content is high quality and appropriate for learners. They can revoke classes deemed too easy or add advanced classes at any time.

The list of training classes looks the way it does because Cisco thinks that these are classes that CCIEs would learn from. They weren’t picked at random to get class sizes higher or to make more profit for Cisco. These classes are something that people would benefit from. And if you’re going to be taking the class anyway or are looking to take a class on a subject, wouldn’t you rather take one that you can get extra credit for?

Myth #2: The CCIE CE Program Was Designed to Sell More Cisco Live Conference Passes

Another chuckle-worthy conclusion about the CCIE CE program. People assumed that because Cisco Live courses were included in the acceptable courses for CE credits, Cisco must obviously be trying to push people to register for more Cisco Live courses, right?

It is true that the CCIE CE program was announced right before Cisco Live 2017. I personally think that was so the CCIEs attending the conference could get credit toward any classes they had booked already. Yes, the courses count. And yes, the longer 4-hour and 8-hour Techtorial classes count for more credits than the 1-hour sessions. But, there is a limit to how many classes count for credit at Cisco Live in total. And there is a cap of 70 credits per cycle on Cisco Live credits in total.

Even if Cisco wanted to use the CCIE CE program to push Cisco Live attendance, this isn’t the best way to do it. The Cisco Live option was to reward those that went anyway for things like advanced training classes and the CCIE NetVet lunch with the CEO. If Cisco wanted to make the CCIE dependent on Cisco Live, they could easily go back to the model of a specific conference just for CCIE recert as they did in the past. They could also just require a specific number of 3000-level classes be taken to recertify, again as in the past, instead of awarding points for other things like Techtorials. Thanks to Terry Slattery for helping me out with these last two points.

Additionally, tying CCIE CE credits to Cisco Live is a horrible way to push conference attendance. Most of the “cool stuff” happening at Cisco Live right now is happening in the DevNet Zone. Many people that I talked to ahead of the conference this year are strongly considering getting Explorer or Social passes next year and spending the whole time in the DevNet Zone instead of the conference proper. If Cisco wanted to push Cisco Live conference pass purchases, they would lock the DevNet Zone behind a more expensive pass.

Myth #3: There Are No Third Party CCIE CE Credits Because Cisco Hates Competition

This myth is currently a half truth. Yes, there are no third party CCIE CE options as of July 2017. Let’s go back to myth #1 and take a look at things. Why would Cisco open the program to the whole world and deal with all the hassle of auditing every potential source of CE credits just after launching the program? Sure, there are a lot of great providers out there. But, for every Narbik bootcamp there’s a bunch of shady stuff going on that isn’t on the up-and-up. But investigating the difference requires time and manpower, which aren’t easy to come by.

Ask yourself a simple question: Do you think Cisco will never have third party options? I can almost guarantee you the answer is no. Based on conversations I had with CCIE program people at Cisco Live this year, I would speculate that the CCIE CE program will expand in the future to encompass more training options, including third parties. I would bet the first inclusions will be certified trainers offering official courses. The next step will be auditing of classes for inclusion, like bootcamps and other semi-official classes. Expansion will be slow, but the classes that make the grade will help enhance the program.

What won’t be included? Youtube videos. Training webinars that are just cleverly disguised promotional pitches. Anything that is given without any way to track down the author and verify their knowledge level. And, as much as it pains me, I can almost guarantee that blog posts won’t count either. Cisco wants to be able to verify that you learned something and that you put in the effort. The only way to do that is through class attendance auditing and verification. Not through Youtube views or blog post counters.

Tom’s Take

For a program that’s less than a month old, there were a lot of people rushing to pass judgement on the hard work put into it. To pronounce the death of something that has endured for more than 20 years is a bit presumptuous. Is the current version of the CCIE CE program perfect? Nope. However, it’s better than the lack of a CE program we had three months ago. It’s also a work-in-progress that will only get better over time. It’s a program that Cisco is going to put significant investment into across the entire certification portfolio.

Rather than tearing down the hard work of so many people for the sake of ego stroking, let’s look at what was delivered and help the CCIE program managers build a bigger, better offering that helps us all in the long run. Cisco wants their CCIEs to succeed and go far in the networking world. And that’s no myth.

Every year at Cisco Live the CCIE attendees who are also NetVets get a special reception with John Chambers where they can ask one question of him (time permitting). I’ve had hit-or-miss success with this in the past so I wanted to think hard about a question that affected CCIEs the world over and could advance the program. When I finally did ask my question, no only was it met with little acclaim but some folks actually argued against my proposal. At that moment, I figured it was time to write a blog post about it.

I can hear many of you out there now jeering me and saying that it’s a dumb idea. Hear me out first before you totally dismiss the idea.

Many respected organizations that issue credentials have a program that records CPEs in lieu of retaking certification exams. ISACA, (ISC)^2, and even the American Bar Assoication use continuing education programs as a way of recertifying their members. If so many programs use them, what is the advantage?

CPEs ensure that certification holders are staying current with trends in technology. It forces certified individuals to keep up with new advances and be on top of the game. It rewards those that spend time researching and learning. It provides a method of ensuring that a large percentage of the members are able to understand where technology is headed in the future.

There seems to be some hesitation on the part of CCIEs in this regard. Many in the NetVet reception told me outright I was crazy for thinking such a thing. They say that the only real measure of recertification is taking the written test. CCIEs have a blueprint that they need to know and they is how we know what a CCIE is. CCIEs need to know spanning tree and OSPF and QoS.

Let’s take that as a given. CCIEs need to know certain things. Does that mean I’m not a real CCIE because I don’t know ATM, ISDN, or X.25? These were things that have appeared on previous written exams and labs in the past. Why do we not learn them now? What happened to those technologies to move them out of the limelight and relegate them to the same pile that we find token ring and ARCnet? Technology advances every day. Things that we used to run years ago are now as foreign to us as steam power and pyramid construction.

If the only true test of a CCIE is to recertify on things they already know, why not make them take the lab exam every two years to recertify? Why draw the line at simple multiple choice guessing? Make them show the world that they know what they’re doing. We could drop the price of the lab for recertification. We could offer recert labs in other locations via the remote CCIE lab technology to ensure that people don’t need to travel across the globe to retake a test. Let’s put some teeth in the CCIE by making it a “real” practical exam.

Of course, the lab recert example is silly and a bit much. Why do we say that multiple choice exams should count? Probably because they are easy to administer and grade. We are so focused on ensuring that CCIEs retrain on the same subjects over and over again that we are blind to the opportunity to make CCIEs the point of the spear when it comes to driving new technology adoption.

CCIE lab revamps don’t come along every six months. They take years of examination and testing to ensure that the whole process integrates properly. In the fourth version of the CCIE lab blueprint, MPLS appeared for the first time as a lab topic. It took years of adoption in the wider enterprise community to show that MPLS was important to all networkers and not just service provider engineers. The irony is that MPLS appears in the blueprint right alongside Frame Relay, a technology which MPLS is rapidly displacing. We are still testing on a twenty-year-old technology because it represents so much of a networker’s life as it is ripped out and replaced with better protocols.

Where’s the CCIE SDN? Why are emerging technologies so underrepresented in the CCIE? One could argue that new tech needs time to become adopted and tested before it can be a valid topic. But who does that testing and adoption? CCIEs? CCNPs? Unwitting CCNAs who have this thrust upon them because the CIO saw a killer SDN presentation and decided that he needed it right now! The truth is somewhere in the middle, I think.

Rather than making CCIEs stop what they are working over every 18 months to read up and remember how 802.1d spanning tree functions or how to configure an NBMA OSPF-over-frame-relay link, why not reward them for investigating and proofing new technology like TRILL or OpenFlow? Let the research time count for something. The fastest way to stagnate a certification program is to force it in upon itself and only test on the same things year after year. I said as much in a previous CCIE post which in many ways was the genesis of my question (and this post). If CCIEs know the only advantage of studying new technology is gaining a leg up with the CxO comes down to ask how network function virtualization is going to benefit the company then that’s not much of an advantage.

CPEs can be anything. Reading an article. Listening to a webcast. Preparing a presentation. Volunteering at a community college. Even attending Cisco Live, which I have been informed was once a requirement of CCIE recertification. CPEs don’t have to be hard. They have to show that CCIEs are keeping up with what’s happening with modern networking. That stands in contrast to reading the CCIE Certification Guide for the fourth or fifth time and perusing 3-digit RFCs for technology that was developed during the Reagan administration.

I’m not suggesting that the CPE program totally replace the test. In fact, I think those tests could be complementary. Let CPEs recertify just the CCIE exam. The written test could still recertify all the existing CCNA/CCNP level certifications. Let the written stand as an option for those that can’t amass the needed number of CPE credits in the recertification period. (ISC)^2 does this as do many others. I see no reason why it can’t work for the CCIE.

There’s also the call of fraud and abuse of the system. In any honor system there will be fraud and abuse. People will do whatever they can to take advantage of any perceived weakness to gain advantage. Similarly to (ISC)^2, an audit system could be implemented to flag questionable submissions and random ones as well to ensure that the certified folks are on the up and up. As of July 1, 2013 there are almost 90,000 CISSPs in the world. Somehow (ISC)^2 can manage to audit all of those CPE submissions. I’m sure that Cisco can find a way to do it as well.

Tom’s Take

People aren’t going to like my suggestion. I’ve already heard as much. I think that rewarding those that show initiative and learn all they can is a valuable option. I want a legion of smart, capable individuals vetting new technology and keeping the networking world one step into the future. If that means reworking the existing certification program a bit, so be it. I’d rather the CCIE be on the cutting edge of things rather than be a laggard that is disrespected for having its head stuck in the sand.

If you disagree with me or have a better suggestion, I implore you leave a comment to that affect. I want to really understand what the community thinks about this.

Share this:

Like this:

Among my more varied certifications, I’m a Certified Information Systems Security Professional (CISSP). I got it a few years ago since it was one of the few non-vendor specific certifications available at the time. I studied my tail off and managed to pass the multiple choice scantron-based exam. One of the things about the CISSP that appealed to me was the idea that I didn’t need to keep taking that monster exam every three years to stay current. Instead, I could submit evidence that I had kept up with the current state of affairs in the security world in the form of Continuing Professional Education (CPE) credits.

CPEs are nothing new to some professions. My lawyer friends have told me in the past that they need to attend a certain number of conferences and talks each year to earn enough CPEs to keep their license to practice law. For a CISSP, there are many things that can be done to earn CPEs. You can listen to webcasts and podcasts, attend major security conferences like RSA Conference or the ISC2 Security Congress, or even give a security presentation to a group of people. CPEs can be earned from a variety of research tasks like reading books or magazines. You can even earn a mountain of CPEs from publishing a security book or article.

That last point is the one I take a bit of umbrage with. You can earn 5 CPEs for having a security article published in a print magazine or other established publishing house. You can write all you want but you still have to wait on an old fashioned editor to decide that your material was worth of publication before it can be counted. Notice that “blog post” is nowhere on the list of activities that can earn credit. I find that rather interesting considering that the majority of security related content that I read today comes in the form of a blog post.

Blog posts are topical. With the speed that things move in the security world, the ability to react quickly to news as it happens means you’ll be able to generate much more discussion. For instance, I wrote a piece for Aruba titled Is It Time For a Hacking Geneva Convention? It was based on the idea that the new frontier of hacking as a warfare measure is going to need the same kinds of protections that conventional non-combat targets are offered today. I wrote it in response to a NY Times article about the Chinese calling for Global Hacking Rules. A week later, NATO released a set of rules for cyberwarfare that echoed my ideas that dams and nuclear plants should be off limits due to potential civilian casualties. Those ideas developed in the span of less than two weeks. How long would it have taken to get that published in a conventional print magazine?

I spend time researching and gathering information for my blog posts. Even those that are primarily opinion still have facts that must be verified. I spend just as much time writing my posts as I do writing my presentations. I have a much wider audience for my blog posts than I do for my in-person talks. Yet those in-person talks count for CPEs while my blog posts count for nothing. Blogs are the kind of rapid response journalism that gets people talking and debating much faster than an article in a security magazine that may be published once a quarter.

I suppose there is something to be said for the relative ease with which someone can start a blog and write posts that may be inaccurate or untrue. As a counter to that, blog posts exist and can be referenced and verified. If submitted as a CPE, they should need to stay up for a period of time. They can be vetted by a committee or by volunteers. I’d even volunteer to read over blog post CPE submissions. There’s a lot of smart people out there writing really thought provoking stuff. If those people happen to be CISSPs, why can’t they get credit for it?

To that end, it’s time for (ISC)^2 to start allowing blog posts to count for CPE credit. There are things that would need to change on the backend to ensure that the content that is claimed is of high quality. The desire to have only written material allowed for CPEs is more than likely due to the idea that an editor is reading over it and ensuring that it’s top notch. There’s nothing to prevent the same thing from occurring for blog authors as well. After all, I can claim CPE credits for reading a lot of posts. Why can I get credit for writing them?

The company that oversees the CISSP, (ISC)^2, has taken their time in updating their tests to the modern age. I’ve not only taken the pencil-and-paper version, I’ve proctored it as well. It took until 2012 before the CISSP was finally released as a computer-based exam that could be taken in a testing center as opposed to being herded into a room with Scantrons and #2 pencils. I don’t know whether or not they’re going to be progressive enough to embrace new media at this time. They seem to be getting around to modernizing things on their own schedule, even with recent additions of more activist board members like Dave Lewis (@gattaca).

Perhaps the board doesn’t feel comfortable allowing people to post whatever they want without oversight or editing. Maybe reactionary journalism from new media doesn’t meet the strict guidelines needed for people to learn something. It’s tough to say if blogs are more popular than the print magazines that they forced into email distribution models and quarterly publication as opposed to monthly. What I will be willing to guarantee is that the quality of security-related blog posts will continue to be high and can only get higher as those that want to start claiming those posts for CPE credit really dig in and begin to write riveting and useful articles. The fact that they don’t have to be wasted on dead trees and overpriced ink just makes the victory that much sweeter.